Category: Security

Aug 15 2016

Group claims to hack NSA-tied hackers, posts exploits as proof

(credit: Shadow Brokers)

In what security experts say is either a one-of-a-kind breach or an elaborate hoax, an anonymous group has published what it claims are sophisticated software tools belonging to an elite team of hackers tied to the US National Security Agency.

In a recently published blog post, the group calling itself Shadow Brokers claims the leaked set of exploits was obtained after members hacked Equation Group (the post has since been removed from Tumblr). Last year, Kaspersky Lab researchers described Equation Group as one of the world's most advanced hacking groups, with ties to both the Stuxnet and Flame espionage malware platforms. The compressed data accompanying the Shadow Brokers post is slightly bigger than 256 megabytes and purports to contain a series of hacking tools dating back to 2010. While it wasn't immediately possible for outsiders to prove the posted data—mostly batch scripts and poorly coded Python scripts—belonged to Equation Group, there was little doubt the data originated with some advanced hacking group.

Not fully fake

"These files are not fully fake for sure," Bencsáth Boldizsár, a researcher with Hungary-based CrySyS who is widely credited with discovering Flame, told Ars in an e-mail. "Most likely they are part of the NSA toolset, judging just by the volume and peeps into the samples. At first glance it is sound that these are important attack related files, and yes, the first guess would be Equation Group."


Aug 15 2016

Cerber Ransomware Updates Configuration File

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, and exploits of vulnerable websites, and also takes advantage of exploit kits like Angler, Nuclear, and others.

During our analysis of the new version, we found some new fields in the configuration file. In this post, we highlight the changes in the configuration files of Cerber Versions 1 and 2.

This snapshot shows a machine infected with Cerber 2.


Machine infected with Cerber Version 2.

The extension of encrypted files has changed from .cerber to .cerber2.


Partial lists of files infected with Cerber 1 and 2.

Why an update?
The ransomware author may have upgraded the malware because of the release of a decryption tool. The ransomware’s detection rate may have also increased; this version has a new packer (wrapper) to make it harder for security products and analysts to find and examine the malware.

Our analysis did not find many significant changes. This version likes to keep its component files (containing the public key and other data) on disk after the encryption process, whereas the previous version kept the component files only in the registry entries. Files and registry entries have the same content.


Version 2’s component files in %appdata% and registry entries.

The location of the encrypted configuration file is updated from the resource section to the last section. We will discuss this further in a future post.

The configuration file
We observed some changes in the configuration files of the two versions. Most are related to encryption tags and antimalware products.

The first change that caught our eye is the addition of rc4_key_size in the encrypt tag. This value was previously calculated at runtime but is now included in the file. The author also updated the infected-files extension to .cerber2 and modified the value of the rsa_key_size field. The following snippets show some of the changes.


Version 1 (left) and Version 2 encryption tags.

Version 2 includes a blacklist to fight security products. The av_blacklist tag in the configuration file contains a list of several vendors' names.


Version 2’s av_blacklist tag.

The new av_blacklist tag is reflected in the check tag as a flag in the configuration file.


Check tag in Version 1.


Check tag in Version 2.

Close_process list enhancements
Some applications use a locking mechanism to prevent other applications from accessing or changing the files they have open, in order to maintain data integrity. Word for Windows does this, for example. To stop such a lock from preventing the encryption of files, Cerber terminates these processes. The list of these processes is kept under the close_process list tag. In this version, Cerber enhances this list significantly, as shown below:


The close_process tag in Version 1.


The close_process tag in Version 2.

Wallpaper template
Version 2 adds a wallpaper tag, which is a template used to create the desktop background on the victim's machine. The variable fields—including TOR, SITE_N, and PC_ID—are filled in at runtime.


The wallpaper tag in Version 2.

Anti-VM techniques
Cerber is among the most thorough malware families when it comes to detecting virtual machines. Cerber detects popular VMs such as Parallels, QEMU, VMware, and VBox. One of the most interesting techniques (present in both versions) is Cerber's enumeration of the registry key "HKLM\SYSTEM\CurrentControlSet\Enum\PCI":

Accessing the registry: HKLM\SYSTEM\CurrentControlSet\Enum\PCI.

Each subkey of HKLM\SYSTEM\CurrentControlSet\Enum\PCI represents a device connected to the PCI bus and is named in the following format:

  • VEN_XXXX&DEV_XXXX&SUBSYS_XXXXXXXXX&REV_XX
    where VEN is the vendor ID and DEV is the device ID, both written in hexadecimal.

A table of virtual machines with known hardware vendor IDs:

Vendor      Vendor ID
VMware      0x15AD
VBox        0x80EE
Parallels   0x1AB8

The following code snippet compares the subkey name with the VBox vendor ID.

Checking the VBox vendor ID.

If Cerber finds any of the vendor IDs among registry key names, it stops and terminates itself.
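As an added example (not McAfee's code and not taken from the malware), the following Python parses PCI subkey names in the VEN_/DEV_ format described above and reports which of the tabled vendor IDs are present, so an analyst can check whether a sandbox VM exposes the IDs this check looks for. The read_pci_subkeys helper and the sample subkey names are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Vendor IDs from the table above, mapped to the hypervisor they indicate.
VM_VENDOR_IDS: Dict[int, str] = {0x15AD: "VMware", 0x80EE: "VBox", 0x1AB8: "Parallels"}

# Subkey names look like VEN_XXXX&DEV_XXXX&SUBSYS_...&REV_XX; the SUBSYS and REV
# parts are treated as optional so odd-looking entries still parse.
_PCI_RE = re.compile(
    r"^VEN_(?P<ven>[0-9A-F]{4})&DEV_(?P<dev>[0-9A-F]{4})"
    r"(?:&SUBSYS_(?P<subsys>[0-9A-F]+))?(?:&REV_(?P<rev>[0-9A-F]{2}))?$",
    re.IGNORECASE,
)


def parse_pci_subkey(name: str) -> Optional[Dict[str, int]]:
    """Split one Enum\\PCI subkey name into integer fields; None if malformed."""
    m = _PCI_RE.match(name.strip())
    if not m:
        return None
    fields = {"ven": int(m["ven"], 16), "dev": int(m["dev"], 16)}
    for key in ("subsys", "rev"):
        if m[key]:
            fields[key] = int(m[key], 16)
    return fields


def vm_vendors_present(subkeys: List[str]) -> Set[str]:
    """Return the hypervisor names whose vendor IDs appear among the subkeys."""
    found: Set[str] = set()
    for name in subkeys:
        parsed = parse_pci_subkey(name)
        if parsed and parsed["ven"] in VM_VENDOR_IDS:
            found.add(VM_VENDOR_IDS[parsed["ven"]])
    return found


def read_pci_subkeys() -> List[str]:
    """Enumerate the real key on Windows (hypothetical helper); [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\PCI") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # raised once the index runs past the last subkey
                return names
            index += 1


# Constructed sample subkey names: one Intel device, one VBox device, one VMware device, one junk entry.
SAMPLE_SUBKEYS = [
    "VEN_8086&DEV_1237&SUBSYS_00000000&REV_02",
    "VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00",
    "VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10",
    "not_a_pci_key",
]

if __name__ == "__main__":
    print(vm_vendors_present(read_pci_subkeys() or SAMPLE_SUBKEYS))
```

Run on a Windows analysis VM it reads the live key; elsewhere it falls back to the constructed sample and prints {'VBox', 'VMware'}.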

Summary
Cerber is a popular form of ransomware. Given the changes we have observed in the configuration file, we also expect to see changes in Cerber's encryption techniques. We'll discuss those soon in a further analysis.

Intel Security products detect Cerber under generic names such as Generic.* and BehavesLike.Win32.*.

The post Cerber Ransomware Updates Configuration File appeared first on McAfee.

Aug 15 2016

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

(credit: Ron Amadeo)

An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.

As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.

"The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted," Lookout researcher Andrew Blaich told Ars. "If there's somewhere they're going to that they don't want tracked, always ensure they're encrypted."
